b'   United States Department of Agriculture\n   Office of Inspector General\n\n\n\n\nFollow Up on APHIS\' Implementation of the\nSelect Agent or Toxin Regulations\n\n\n\n\n                                             Audit Report 33701-0001-AT\n                                             November 2012\n\x0c                           United States Department of Agriculture\n                                  Office of Inspector General\n                                   Washington, D.C. 20250\n\n\n\n\nDATE:          November 6, 2012\n\nAUDIT\nNUMBER:        33701-0001-AT\n\nTO:            Kevin Shea\n               Acting Administrator\n               Animal and Plant Health Inspection Service\n\nATTN:          Joanne L. Munno\n               Deputy Administrator\n               Marketing Regulatory Program Business Services\n\nFROM:          Gil H. Harden\n               Assistant Inspector General for Audit\n\nSUBJECT:       Follow Up on APHIS\xe2\x80\x99 Implementation of the Select Agent or Toxin Regulations\n\n\nThis report presents the results of the subject audit. Your written response to the official draft,\ndated September 28, 2012, is included in its entirety at the end of the report. Excerpts from your\nresponse and the Office of Inspector General\xe2\x80\x99s (OIG) position are incorporated in the relevant\nFindings and Recommendations sections of the report. Based on your responses, we were able\nto accept management decision on Recommendations 4, 6, and 12. However, we are unable to\naccept management decision on Recommendations 1, 2, 3, 5, 7, 8, 9, 10, and 11. Documentation\nor action needed to reach management decision for these recommendations is described under\nthe relevant OIG Position sections.\n\nIn accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days,\ndescribing the corrective actions taken or planned, and timeframes for implementing the\nrecommendations for which management decisions have not been reached. Please note that the\nregulation requires management decision to be reached on all recommendations within 6 months\nfrom report issuance, and final action to be taken within 1 year of each management decision to\nprevent being listed in the Department\xe2\x80\x99s annual Performance and Accountability Report. Please\nfollow your internal agency procedures in forwarding final action correspondence to the Office\nof the Chief Financial Officer.\n\nWe appreciate the courtesies and cooperation extended to us by members of your staff during our\naudit fieldwork and subsequent discussions.\n\x0c\x0cTable of Contents\n\nExecutive Summary .................................................................................................1\nBackground and Objectives ....................................................................................4\nSection 1: APHIS Oversight ...................................................................................7\n  Finding 1: APHIS Needs to Strengthen Controls Over Critical Areas in the\n  Select Agent Program...........................................................................................7\n      Recommendation 1 ......................................................................................11\n      Recommendation 2 ......................................................................................12\n      Recommendation 3 ......................................................................................12\n      Recommendation 4 ......................................................................................13\nSection 2: Registered Entity Compliance Issues ................................................14\n  Finding 2: APHIS Allowed Transfers of Select Agents to Unregistered\n  Entities Without Approved Security Plans ......................................................14\n      Recommendation 5 ......................................................................................15\n  Finding 3: Entities Did Not Adhere to Access Security Requirements ........17\n      Recommendation 6 ......................................................................................19\n      Recommendation 7 ......................................................................................19\n      Recommendation 8 ......................................................................................20\n      Recommendation 9 ......................................................................................21\n  Finding 4: Persons with Access to Select Agents Did Not Possess Updated\n  SRAs .....................................................................................................................22\n      Recommendation 10 ....................................................................................23\n  Finding 5: Responsible Officials and Employees Lacked Required Biosafety\n  and Security Training ........................................................................................24\n      Recommendation 11 ....................................................................................25\n      Recommendation 12 ....................................................................................26\nScope and Methodology .........................................................................................28\nExhibit A: Summary of SRA Renewal Deficiencies ..........................................30\nAbbreviations .........................................................................................................31\nAgency\xe2\x80\x99s Response .................................................................................................33\n\x0c\x0cFollow Up on APHIS\xe2\x80\x99 Implementation of the Select Agent or Toxin\nRegulations\n\nExecutive Summary\nAfter the events of September 11, 2001, the Government took a number of steps to strengthen\nhomeland security. The Public Health Security and Bioterrorism Preparedness and Response\nAct of 20021 (Public Law 107-188, signed June 12, 2002 (hereafter referred to as \xe2\x80\x9cthe Act\xe2\x80\x9d))\nincluded provisions for enhancing controls over dangerous biological agents and toxins. The Act\naddressed the lack of authority for the Secretary of Agriculture to regulate possession of\nbiological agents that, through acts of bioterrorism, could have a devastating impact on the\ndomestic agricultural economy. With passage of the Act, the Secretary of Agriculture was\nrequired to promulgate regulations to provide for the establishment and enforcement of standards\nand procedures governing the possession, use, and transfer of select agents or toxins, including\nsecurity measures and controls to limit access to only those individuals that have a legitimate\nneed to handle or use such agents or toxins. The Animal and Plant Health Inspection Service\n(APHIS) was delegated authority to administer the regulations for the Department of\nAgriculture.\n\nIn prior audits of APHIS\xe2\x80\x99 select agent program,2 we found that APHIS had not established a\nconsistent and thorough inspection structure. In response to our recommendations, APHIS\nestablished controls to ensure registered entities complied with security regulations, including\nenhancing its reviews of entity security plans. In addition, APHIS enhanced its inspection\nprocess by requiring inspectors to observe security procedures to verify compliance with the\nsecurity plan and determine whether entities\xe2\x80\x99 controls were in accordance with program\nregulations. The primary objective of this audit was to follow up on our prior audits and assess\nwhether APHIS\xe2\x80\x99 new controls are effectively ensuring that registered entities comply with\nregulations governing the possession, use, and transfer of select agents. We selected 7 of\n59 entities that were registered to possess or use select agents to assess their compliance with\nselect agent regulations and determine whether APHIS was effectively overseeing the select\nagent program at these entities.\n\nAlthough APHIS has made progress in establishing controls over the select agent program since\nour last audit, we found that APHIS needs to strengthen its internal controls over the critical\nprogram areas related to monitoring the movement of select agents to alternate facilities,\ncontrolling access to select agents, ensuring that individuals handling select agents have up-to-\ndate security clearances, and ensuring that responsible officials (RO) are adequately trained. Our\naudit discovered deficiencies in these critical areas because APHIS did not always (1) ensure\neffective monitoring of ongoing activities, (2) fully address identified risks, or (3) ensure\neffective communication within the select agent program. We found deficiencies where\n\n1\n  Title II, Subtitle B of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 is cited\nas the Agricultural Bioterrorism Protection Act of 2002.\n2\n  APHIS Evaluation of the Implementation of the Select Agent or Toxin Regulations, Phase I (Audit Report 33601-\n0002-AT, dated June 23, 2005) and APHIS Evaluation of the Implementation of the Select Agent or Toxin\nRegulations, Phase II (Audit Report 33601-0003-AT, dated January 17, 2006).\n\n\n                                                                    AUDIT REPORT 33701-0001-AT                     1\n\x0cinspector training and procedures performed did not always ensure that monitoring inspections\nidentified program vulnerabilities. APHIS did not have adequate controls to ensure that\nlegislatively required Department of Justice security risk assessments (SRA) for individuals\npossessing or using select agents were up-to-date. Finally, APHIS\xe2\x80\x99 lack of effective internal and\nexternal communication resulted in violations going undetected, such as (1) the transfer of select\nagents causing anthrax (Bacillus anthracis)3 and the plague (Yersinia pestis)4 to an unregistered\nfacility and (2) access granted to personnel with expired security risk assessments to areas\ncontaining select agents at four of the seven entities we reviewed. These communication\nbreakdowns increased the risk that select agents could be accessed by unauthorized personnel\nand potentially misused.\n\nFinally, at five of the seven entities ROs or alternate ROs did not have documentation of their\nrequired biosafety or biocontainment and security training. APHIS did not require ROs or\nalternate ROs to have specific training related to their select agent program oversight\nresponsibilities. Without appropriate training, ROs or alternate ROs could be providing incorrect\nor incomplete information to their employees, thus heightening the risk to the health of persons,\nplants, or animals. Additionally, all seven entities that we reviewed either did not ensure that all\nemployees received the required training or did not maintain complete training records for their\nemployees.\n\nRecommendation Summary\nTo strengthen internal controls for monitoring program activities, addressing identified risks, and\neffectively communicating information about the select agent program, we recommend that\nAPHIS revise inspection procedures to include steps for sampling and reviewing access logs;\nestablish agency security policies and procedures for handling requests from registered entities to\ntransfer select agents, under special circumstances; provide guidance to its registered entities to\nclarify the restricted access requirements; notify each registered entity to clarify that the RO must\nensure that SRA renewals are timely, prior to expiration; and develop and conduct training for all\nROs and alternate ROs that provides the knowledge necessary to effectively oversee the select\nagent program.\n\nAgency Response\nIn its September 28, 2012, response to the official draft report, APHIS agreed with 3 of the\n12 recommendations. Although APHIS did not agree with two of the recommendations, it\nproposed corrective actions that address the concerns identified by the Office of Inspector\nGeneral (OIG). Excerpts from the response and OIG\xe2\x80\x99s position have been incorporated into the\nrelevant sections of the report. The written response is included in its entirety at the end of the\nreport.\n\n\n\n3\n  Bacillus anthracis is the bacterium that causes anthrax. It is considered one of the most serious bioterrorism\nthreats.\n4\n  Yersinia pestis is the bacterium that causes the plague. It is considered one of the most serious bioterrorism\nthreats.\n\n\n2     AUDIT REPORT 33701-0001-AT\n\x0cOIG Position\nThe agency in their response expressed concerns that certain language in the report was unduly\nalarming and suggested that it should be revised or removed from the audit report. In\nconsidering management concerns, we revised certain language in the report. Further, we accept\nAPHIS\xe2\x80\x99 management decision for Recommendations 4, 6, and 12, however for recommendations\n1, 2, 3, 5, 7, 8, 9, 10, and 11, we were unable to reach management decision. We have provided\nour comments and a description of actions needed to reach management decision for each of\nthese recommendations in the OIG Position section of the report.\n\n\n\n\n                                                       AUDIT REPORT 33701-0001-AT           3\n\x0cBackground and Objectives\n\nBackground\nBiological agents and toxins that pose a severe risk to plant and animal health or to animal and\nplant products, such as bovine spongiform encephalopathy (BSE),5 are regulated by the\nDepartment of Agriculture (USDA) as \xe2\x80\x9cselect agents or toxins\xe2\x80\x9d (hereafter referred to as \xe2\x80\x9cselect\nagents\xe2\x80\x9d). The Agricultural Bioterrorism Protection Act of 20026 (hereafter referred to as \xe2\x80\x9cthe\nAct\xe2\x80\x9d) gives the USDA authority to designate certain plant and animal biological agents and\ntoxins as select agents by listing them in the Federal Register on a biennial basis.\n\nThe Act also requires that the Secretary of Health and Human Services (HHS) establish and\nmaintain a list of select agents that have the potential to pose a severe threat to public health and\nsafety (public health being focused on humans instead of plants and animals). Where HHS and\nUSDA list some of the same agents, known as overlap agents, 7 the two departments coordinate.8\nIn USDA, the Animal and Plant Health Inspection Service (APHIS) enforces the Act, while in\nHHS, the Centers for Disease Control and Prevention (CDC) enforces the Act. Further, the Act\nrequires that a national database be established to identify the names of persons, location, and\nidentification of the select agents that are possessed, used, or transferred by the registered\nentities. To accomplish this, CDC established and APHIS uses the National Select Agent\nRegistry (NSAR) database.\n\nAPHIS and CDC regulate select agents by establishing and enforcing:\n\n    \xc2\xb7    Safety procedures for the transfer of listed agents, including measures to ensure proper\n         training and appropriate skills to handle select agents, and proper laboratory facilities to\n         contain and dispose of select agents;\n    \xc2\xb7    Security measures to prevent access to select agents for use in domestic or international\n         terrorism or for any other criminal purpose; and\n    \xc2\xb7    Procedures to protect public safety, animal and plant health, as well as animal and plant\n         products, in the event of a transfer or potential transfer of select agents in violation of the\n         established safety procedures or established safeguards and security measures.\n\nAll entities that possess, use, or transfer these select agents must register with the appropriate\nregulatory agency, APHIS or CDC, depending on the type of select agents the entity possesses.\nEntities with overlap agents may choose to register with either APHIS or CDC, but registration\n\n\n5\n  BSE, widely referred to as "mad cow disease," is a chronic degenerative disease affecting the central nervous\nsystem of cattle. All infected cattle die. There is neither any treatment nor a vaccine to prevent the disease.\n6\n  Title II, Subtitle B of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 is cited\nas the Agricultural Bioterrorism Protection Act of 2002.\n7\n  Overlap agents are those agents that may affect both animal and human health.\n8\n  For select agents that are designated as overlap agents, CDC and APHIS are to coordinate to minimize conflicts\nbetween regulations and program activities and administrative burdens, subject to regulation by both APHIS and\nCDC.\n\n\n4       AUDIT REPORT 33701-0001-AT\n\x0cwith both agencies is not required. Currently,9 50 entities\xe2\x80\x94including government agencies,\nacademic institutions, corporations, associations, and other legal entities\xe2\x80\x94are registered with\nAPHIS to possess, use, and transfer select agents. An entity may have multiple facilities under\nits purview; however, each facility is, by itself, a separate registered entity. Registered entities\nare defined as facilities at one physical location (such as a room, a building, or a group of\nbuildings) where the responsible official (RO) will be able to perform all the responsibilities of\nthe Select Agent Program.10\n\nEach entity must designate a RO who is responsible for day-to-day program administration and\ncompliance. The entity may also designate one or more alternate ROs, who may act in the\nabsence of the RO. As part of the registration process, the entities\xe2\x80\x99 RO, the alternate RO, the\nentity, and the individual who owns or controls the entity,11 must undergo a security risk\nassessment (SRA) by the Criminal Justice Information Service (CJIS) Division of the\nDepartment of Justice.12 Moreover, all individuals who handle or use select agents must undergo\nan SRA by the CJIS Division.\n\nA Federal working group13 established to identify and remedy potential gaps in biosecurity\nrecommended that individuals who handle select agents undergo a renewed SRA every 3 years,\nas opposed to the previous timeline of every 5 years.14 APHIS and CDC accepted this\nrecommendation and, as of June 1, 2011, began requiring individuals to have their SRA renewed\nevery 3 years.\n\nWhen an entity registers with APHIS, it submits a site-specific security plan detailing the\nphysical security of the select agents and the laboratories that house them.15 In addition, the\nentity submits biosafety, biocontainment,16 and incident response plans.17 APHIS performs a\n\n9\n  As of May 2012.\n10\n   Registration is location specific; therefore, APHIS would classify a single corporation that owns three different\nfacilities at distant locations handling select agents as three separate entities.\n11\n   Owning or controlling individuals undergo an SRA when applicable.\n12\n   The SRA is the method used by the CJIS to evaluate an individual\'s suitability to access select agents.\nSpecifically, to determine whether the individual meets any of the statutory restrictors that would restrict them to\naccess to select agents.\n13\n   The working group includes the Secretaries of Defense, HHS, State, Agriculture, Transportation, and Homeland\nSecurity, or their designees.\n14\n   Executive Order 13486, Strengthening Laboratory Biosecurity in the United States, January 2009, established the\nworking group.\n15\n   7 Code of Federal Regulations (CFR) 331.11(c)(d) and 9 CFR 121.11(c)(d) require that the security plan contain,\namong other things, provisions for securing the area (e.g., card access, locks); provisions for controlling access to\nthe select agents; provisions for routine cleaning, maintenance, and repairs; provisions for ensuring that all\nindividuals with access understand and comply with the security procedures; and allow access only to individuals\nwith access approval from APHIS.\n16\n   7 CFR 331.12(a)(b) and 9 CFR 121.12(a)(b) require the entity to develop and implement biosafety and/or\nbiocontaiment plans detailing the procedures to ensure biosafety and containment. The procedures must be\nsufficient to contain the select agent (e.g., physical structure and features of the entity, and operational and\nprocedural safeguards).\n17\n   7 CFR 331.14(a)(b) and 9 CFR 121.14(a)(b) require the entity to develop and implement an incident response\nplan that details the entity\xe2\x80\x99s response procedures for events such as theft, loss, or release of select agents; security\nbreaches; severe weather and other natural disasters; suspicious packages; and emergencies such as fire, gas leak,\npower outage, etc.\n\n\n                                                                      AUDIT REPORT 33701-0001-AT                       5\n\x0cdetailed review of the security, biosafety, biocontainment, and incident response plans and\ninspects the entity\xe2\x80\x99s facility and laboratories where select agents will be used or stored. After the\ninitial registration is approved, APHIS performs a detailed inspection every 3 years as part of its\nregistration renewal process. It follows up with annual compliance reviews that target certain\nissues, such as annual recordkeeping requirements, requirements to conduct drills and exercises,\nand accuracy of inventory records, based on the history or concerns with the entity. Compliance\ninspections are normally unannounced, and are designed to close the gap between the 3-year\ninspection cycles.\n\nAPHIS has 10 staff from Veterinary Services and 5 staff from Plant Protection and\nQuarantine (PPQ) assigned to the select agent program. Four veterinary medical officers are\nprimarily responsible for overseeing registered entities. The PPQ director is responsible for\noverseeing entities that possess only plant-related select agents.\n\nIn July 2010, the President issued an executive order creating a tiered approach to classifying\nselect agents, identifying a subset of select agents as Tier 1 agents, which are those with the\ngreatest risk \xe2\x80\x9cof deliberate misuse with most significant potential for mass casualties or\ndevastating effects to the economy, critical infrastructure, or public confidence.\xe2\x80\x9d18 For Tier 1\nagents, APHIS must revise its regulations to establish security standards specific to those agents.\nAPHIS published the proposed list of Tier 1 agents on October 3, 2011. The executive order\nalso created the Federal Experts Security Advisory Panel (FESAP) to make recommendations\nregarding biosecurity measures for the select agent program. FESAP\xe2\x80\x99s recommendations will be\naddressed during the next round of regulation revisions and FESAP will remain active through\n2014.\n\nOur 2005 review of the select agent program identified significant issues with APHIS\xe2\x80\x99\nimplementation of controls to prevent unauthorized access to select agents.19 For example,\nAPHIS had not established policies and procedures to ensure consistent and thorough security\ninspections. Our subsequent review of the program in 2006 confirmed the initial findings.20\nSince our 2006 review, APHIS has implemented several changes to program operations in\nresponse to issues identified in prior audits, including implementing a national database of select\nagents, training those conducting inspections, and creating a series of checklists for conducting\ninspections.21\n\nObjective\nThe objective of this audit was to follow up on our prior audits and assess whether APHIS\xe2\x80\x99 new\ncontrols were effectively ensuring that registered entities comply with regulations governing the\npossession, use, and transfer of select agents.\n\n18\n   Executive Order 13546, Optimizing the Security of Biological Select Agents and Toxins in the United States,\nSection 4, July 2, 2010.\n19\n   APHIS Evaluation of the Implementation of the Select Agent or Toxin Regulations, Phase I (33601-0002-AT,\n June 23, 2005).\n20\n   APHIS Evaluation of the Implementation of the Select Agent or Toxin Regulations, Phase II (33601-0003-AT,\n January 17, 2006).\n21\n   Management decision was achieved and the agency has stated that it completed final action on all previous audit\n recommendations for our 2005 and 2006 reviews.\n\n\n6     AUDIT REPORT 33701-0001-AT\n\x0cSection 1: APHIS Oversight\n\nFinding 1: APHIS Needs to Strengthen Controls Over Critical Areas in the\nSelect Agent Program\nAPHIS needs to strengthen the internal controls related to moving select agents to alternate\nfacilities, controlling access to select agents, ensuring that individuals handling select agents\nhave up-to-date security clearances, and ensuring that ROs are adequately trained. These\ninternal control deficiencies occurred because APHIS did not always (1) ensure effective\nmonitoring of ongoing activities, (2) fully address identified risks, or (3) ensure effective\ncommunication within the select agent program. As a result, there is increased risk of the misuse\nof select agents and the potential for serious security violations going undetected.\n\nThe Office of Management and Budget Circular A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for\nInternal Control,\xe2\x80\x9d states that management has a fundamental responsibility to develop and\nmaintain effective internal control. The Government Accountability Office Standards for\nInternal Control in the Federal Government22 established five goals for internal controls. The\nfirst goal calls for Government agencies to establish a control environment that sets a \xe2\x80\x9cpositive\nand supportive attitude toward internal control and conscientious management.\xe2\x80\x9d These goals\nalso include monitoring program activities; addressing identified risks; effectively\ncommunicating information; establishing policies, procedures, techniques, and mechanisms that\nenforce management\xe2\x80\x99s directions.\n\nSince our prior audits, APHIS has improved its program administration. Previously, we found\nthat APHIS had not established a consistent and thorough inspection structure. In response to\nour recommendations, APHIS established controls to ensure entities complied with security\nregulations, including enhancing its reviews of entity security plans. In addition, APHIS\nenhanced its inspection process by requiring inspectors to observe security procedures to verify\ncompliance with the security plan and determine whether entities\xe2\x80\x99 controls accord with program\nregulations. While APHIS has made progress, the executive and regulatory authorities continue\nto emphasize enhancing security over select agents. In July 2010, an executive order23 instructed\nAPHIS and CDC to increase coordination, security, and oversight for agents and toxins with the\nhighest risk, such as those causing anthrax (Bacillus anthracis)24 and the plague\n(Yersinia pestis).25 We determined that continued efforts are needed to strengthen APHIS\xe2\x80\x99\ninternal control environment in the areas of monitoring, risk assessment, and communication to\nfurther enhance security for these and other high risk pathogens.\n\n\n\n22\n   GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal Government, dated November 1999, and\nOMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control, dated December 2004.\n23\n   Executive Order 13546, Optimizing the Security of Biological Select Agents and Toxins in the United States,\nJuly 2, 2010.\n24\n   Bacillus anthracis is the bacterium that causes anthrax. It is considered one of the most serious bioterrorism\nthreats.\n25\n   Yersinia pestis is the bacterium that causes the plague. It is considered one of the most serious bioterrorism\nthreats.\n\n\n                                                                    AUDIT REPORT 33701-0001-AT                      7\n\x0cMonitoring Ongoing Activities\n\nAPHIS has established monitoring procedures and security checklists and conducted inspector\ntraining to determine whether the programs\xe2\x80\x99 legislative requirements are met. However, we\nfound that the inspector training and procedures performed did not always ensure that monitoring\ninspections identified program vulnerabilities. We found that APHIS\xe2\x80\x99 inspection procedures for\nmonitoring registered entities did not include specific steps to review access logs to ensure that\nonly authorized individuals were allowed access to areas with select agents. The inspection\nprocedures also did not include steps to identify individuals whose SRAs had expired. Finally,\nthe inspection procedures did not include steps to ensure consistency in reviewing whether\nentities were complying with training requirements.\n\nFor instance, while legislation clearly identifies unauthorized access to select agents as a major\nrisk, APHIS\xe2\x80\x99 checklist/procedures for inspecting physical security did not require its inspectors\nto check entities\xe2\x80\x99 access logs to ensure that unauthorized individuals are not allowed in areas\nwhere select agents are stored or used. The security review checklist directs inspectors to\ndetermine whether entities \xe2\x80\x9callow access only to individuals with access approval from the HHS\nsecretary or APHIS administrator.\xe2\x80\x9d APHIS\xe2\x80\x99 training material for inspectors addresses onsite\nobservations of individuals accessing areas where select agents are stored or used during the\ninspection, but it does not instruct inspectors to include an examination of previous log book\nentries or other documented entries, such as electronic keycard access records. Three of seven\nentities reviewed allowed unauthorized access into areas where select agents were used or stored\n(see Finding 3). However, APHIS\xe2\x80\x99 inspections did not identify these conditions because\ninspection procedures did not include steps to review access logs or access privileges.26 APHIS\nofficials told us that methods for access log reviews should have been covered during the\ninspectors\xe2\x80\x99 training and that the issue should be emphasized in future training. We concluded\nthat inspection checklists should also include steps to review access logs and access privileges.\n\nAPHIS\xe2\x80\x99 inspections also did not identify other deficiencies, such as individuals with expired\nSRAs having access to select agents (see Finding 4), and entities that did not perform required\nsecurity training or adequately document it (see Finding 5). In regard to expired SRAs, the\nAPHIS inspection guidance does not include steps to identify individuals with expired SRAs. As\nfor training deficiencies, officials said that their intent was for inspectors to review all training\nrecords for a given period. However, the inspection guidance does not specify this requirement,\nnor does it instruct inspectors how to assess training records. 27 The checklist also does not\nrequire inspectors to document the time period covered by records reviewed during their\ninspection. Without documentation of the time period, APHIS is hampered in tracking and\nevaluating registered entities\xe2\x80\x99 progress in correcting identified inspection deficiencies. Also, in\nthe event of a security incident, APHIS would be unable to definitively state whether an\ninspection covered a particular time period.\n\n26\n   Access privilege is the ability to gain access to areas where select agents are used or stored. For example,\nindividuals who have been granted keycard access to areas where select agents are used or stored have access\nprivileges.\n27\n   The inspection checklist states that training records should include the names, dates, descriptions, and means used\nto verify employees understood the training. The checklist does not indicate how many records should be reviewed\nor what constitutes adequate documentation of employee understanding.\n\n\n8     AUDIT REPORT 33701-0001-AT\n\x0cFully Addressing Identified Risks\n\nOne of the most significant risks in the select agent program is that an individual might gain\naccess to a select agent and deliberately misuse it in a terrorist act.28 A key control to mitigate\nthis risk is included in the original legislation creating the select agent program, and requires that\nindividuals seeking to possess or use select agents must, by law, be vetted by the Department of\nJustice. This requirement and process is to ensure that restricted persons are not allowed to work\nwith select agents. Every 3 years the SRA for an individual must be renewed. We found that\nAPHIS was not ensuring that registered entities were keeping up-to-date SRAs for individuals\npossessing or using select agents. Even though entities\xe2\x80\x99 ROs are required to ensure that the\nSRAs are up-to-date, APHIS was unaware that SRAs were being allowed to expire, due to\ninaccurate information contained in the NSAR database.29 During our review at 7 registered\nentities, we found that SRA approval for 11 individuals at 4 entities lapsed for periods of time\nranging from 14 to 478 days (see Finding 4).\n\nAPHIS does not have an effective automated system to track the SRA renewals. Instead, the\nagency manually compares information from the CJIS database, maintained by the Department\nof Justice, to data that were manually entered into the NSAR database. This manual process is\nmore prone to errors because it relies on both manual input and comparison of data. An APHIS\nofficial told us that it is the RO\xe2\x80\x99s responsibility to ensure that all individuals with access to select\nagents have an approved SRA. However, APHIS has the responsibility to monitor the program\nand ensure that the registered entities are complying with select agent laws and regulations.\n\nEffective Communication within the Select Agent Program\n\nAPHIS\xe2\x80\x99 lack of effective internal and external communication resulted in violations going\nundetected, such as the transfer of select agents to an unregistered facility and access granted to\nunauthorized personnel to areas containing select agents, due to expired security clearances.\nThese communication breakdowns increased the risk that select agents could be released,\nmisused, or diverted for terrorism. We found APHIS permitted transfers of select agents to\nunregistered entities due, in part, to the lack of communication about the entity\xe2\x80\x99s known security\nplan deficiencies. This occurred when the APHIS Plant Protection and Quarantine (PPQ) official\napproving the transfer did not communicate with the APHIS veterinary medical officer, who was\nresponsible for overseeing the entity before signing the transfer approval document (see Finding\n2).\n\n\n\n28\n   In a November 2, 2010, report, Recommendations Concerning the Select Agent Program (revised 12/20/2010 and\n1/10/2011), the FESAP recommended enhancing the SRA process for the select agent program to better assess\ncircumstances that would disqualify an individual from accessing or using select agents. In its Report of the\nWorking Group on Strengthening the Biosecurity of the United States, dated October 1, 2009, a Federal working\ngroup; which includes the Secretaries of Defense, HHS, State, Agriculture, Transportation, and Homeland Security,\nor their designees; found that restricting select agent access to only those who have passed an SRA is critical for\nstrengthening the United States\xe2\x80\x99 biosecurity. The group recommended that those with access to select agents should\nmeet high standards of reliability, which would prevent misuse by individuals with \xe2\x80\x9cnefarious intent.\xe2\x80\x9d\n29\n   NSAR is the database that APHIS and CDC use to input data regarding the select agent program; it includes the\ninformation about individuals that are authorized to use select agents.\n\n\n                                                                   AUDIT REPORT 33701-0001-AT                     9\n\x0cWe also found that SRAs were not up-to-date at four of the entities because the entities\xe2\x80\x99 ROs\nexpected APHIS to provide them notification when the renewals were due. However, the\nrenewal notifications were not always timely sent by APHIS because the errors and omissions in\nits list prevented APHIS from timely identifying individuals whose SRAs were expiring (see\nFinding 4).\n\nCommunication that provides accurate and reliable information is essential to ensure that those\ntasked with administering the select agent program at all levels understand their responsibilities\nand to ensure that decisions and actions affecting the program provide the best means of\npreventing unnecessary risks.\n\nAs noted in Finding 2, the branch chief of select agents for PPQ approved the transfer of the\nselect agents to an unregistered entity, and not the veterinary medical officer assigned\nresponsibility for the entity.30 The branch chief obtained CDC\xe2\x80\x99s concurrence on the transfer,\nwhich was required because Bacillus anthracis (anthrax) is an overlap agent that affects both\nhumans and animals and Yersinia pestis (plague) is a CDC select agent that may affect human\nhealth. Although the assigned veterinary medical officer had identified 27 deficiencies in the\nsecurity and incident response plans (i.e., the incident response plan did not address how the\nfacility would respond to events such as explosions, gas leaks, power outages, bomb threats, and\nsuspicious packages), at the time the transfer was approved, the branch chief and CDC approved\nthe transfer to the facility because they believed the facility was safe and secure for storing the\nselect agents. However, the unregistered entity did not address these issues until several months\nafter the transfer took place.\n\nIn Finding 4, an issue involved incorrect external communication provided to registered entities,\nwhich caused confusion regarding the responsibilities for monitoring and updating SRAs. We\nfound that SRAs for all authorized persons were not up-to-date at four of the entities because\nAPHIS was inconsistent in sending renewal notifications and did not adequately describe entity\nresponsibilities in guidance posted on its website. APHIS and CDC maintain a NSAR website\nthat provides information to registered entities to help them manage their select agents. Up until\nMay 2011, under the frequently asked questions section, the site stated that APHIS or CDC will\nprovide the RO with a list of individuals who need renewed SRAs. However, according to the\nprogram legislation, entities hold the responsibility for ensuring that SRAs are current\xe2\x80\x94not\nAPHIS. This web posting led ROs to believe that they did not need to take actions to monitor\ntheir employees\xe2\x80\x99 SRAs, because APHIS would do that for them. Since APHIS does not have an\neffective system for monitoring SRA expirations itself, the notices that it sent to ROs were often\nunreliable, compounding the problem.\n\nAn APHIS official told us that it is ultimately the entity\xe2\x80\x99s responsibility to ensure that all\nindividuals with access to select agents have an approved SRA. In May 2011, APHIS revised its\nwebpage to include a note stating that, \xe2\x80\x9cIt is the [RO\xe2\x80\x99s] responsibility to ensure all individuals\nlisted on the entity\xe2\x80\x99s registration are SRA approved.\xe2\x80\x9d However, we believe that this clarification\n\n30\n  Within APHIS\xe2\x80\x99 select agent program, there are four veterinary medical officers, each of whom is assigned\nresponsibility for overseeing designated registered entities possessing and using select agents affecting animals. For\nentities possessing only select agents affecting plants, the branch chief of select agents for PPQ would have\noversight responsibility.\n\n\n10      AUDIT REPORT 33701-0001-AT\n\x0cdoes not ensure that all registered entities are fully aware of their responsibilities. Many entities\nmay not know that the site has been corrected and, since APHIS is still sending out notices, they\nmay continue to believe that APHIS is tracking SRAs for them.\n\nIn summary, since our last audit, APHIS has established monitoring procedures and security\nchecklists and conducted inspector training, which were all designed to ensure legislative\nrequirements are met. However, the agency needs to improve ongoing monitoring procedures to\nensure that access and movement of select agents is done in a secure environment. APHIS also\nneeds to establish controls to ensure program risks are mitigated by monitoring whether security\nrisk assessments are performed as required. Finally, the agency needs to provide for good\ncommunication throughout APHIS and with registered entities to ensure that decisions and\nactions affecting the program provide the best means of preventing unnecessary risks.\n\nRecommendation 1\nRevise inspection procedures to include steps for sampling and reviewing access logs, access\nprivileges, and electronic entry records (if available) to ensure entities are adhering to restricted\naccess requirements, including log book documentation requirements.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with the recommendation. APHIS\xe2\x80\x99 current inspection procedures\n       include sampling and reviewing access logs, access privileges, and electronic entry\n       records during renewal inspections as well as annual compliance reviews. Select agent\n       inspector training provided by APHIS specifically addresses the process to examine\n       records and to compare those examinations with the list of authorized personnel.\n       However, APHIS will review the inspection checklists to determine if more specificity is\n       necessary. This review will be completed by December 3, 2012.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. In its response, APHIS\ndid not provide evidence to support that its inspection procedures included sampling and\nreviewing access logs, access privileges, and electronic entry records. APHIS did not provide\nevidence showing that its inspector training specifically addressed the process to examine those\nrecords and compare those examinations with the list of authorized personnel. During our audit,\nwe identified instances where unauthorized individuals were provided access, but such instances\nwere not detected during APHIS\xe2\x80\x99 inspections. APHIS\xe2\x80\x99s inspection checklists, which had been\nprovided to OIG during the audit, did not provide specific procedures for reviewing access logs,\nprivileges, or electronic entry records. Additionally, the inspector training material provided to\nOIG stated that inspectors should observe individuals entering secure areas, but did not instruct\nthe inspectors to examine previous log book entries or other documented entries such as\nelectronic keycard access records. To reach management decision, APHIS should include steps\nfor sampling and reviewing access logs, access privileges, and electronic entry records in its\n\n\n                                                          AUDIT REPORT 33701-0001-AT                11\n\x0cchecklists to ensure that entities are adhering to restricted access requirements, including\nrequirements for log book documentation.\n\nRecommendation 2\nRevise the checklists and guidance used by inspectors to include (1) steps to identify evidence of\nrequired training, including what documents are needed to verify an individual\xe2\x80\x99s understanding\nof the training, and (2) the scope of an inspector\xe2\x80\x99s training documentation review to identify the\nperiod of time for which training records were reviewed.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with the recommendation. Select agent inspector training\n       provided by APHIS specifically addresses the process to examine an entity\xe2\x80\x99s records to\n       ensure that the training requirements are fulfilled. APHIS inspectors review training\n       records typically from the date of the last inspection forward by both APHIS and ***\n       CDC on-site inspectors. APHIS will review the inspection checklists to determine if\n       more specificity is necessary. This review will be completed by December 3, 2012.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. During our audit, we\nidentified deficiencies in the training records maintained at each of the seven entities we visited.\nFurther, the training materials provided to OIG during the audit did not identify the scope of\nreview performed or what documents the inspectors reviewed to verify that individuals\nunderstood the training. To reach management decision, APHIS should (1) revise its inspection\nchecklist to record the scope of the review to identify the period of time for which training\nrecords were reviewed, and (2) revise the guidance used by inspectors to identify what\ndocuments are necessary to verify an individual\xe2\x80\x99s understanding of training; or provide details of\nhow its training specifically addresses the process to examine an entity\xe2\x80\x99s records, including\nidentifying what documents are required to be reviewed by inspectors to verify an individual\xe2\x80\x99s\nunderstanding of the training, to ensure that they training requirements are fulfilled.\n\nRecommendation 3\nDevelop and implement procedures to ensure that all affected parties receive communication of\nrelevant information regarding significant decisions, such as the approval of a transfer of a select\nagent, before such determinations are made.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n\n\n\n12     AUDIT REPORT 33701-0001-AT\n\x0c        APHIS does not concur with this recommendation. APHIS has a Standard Operating\n        Procedure [SOP] for transfers, titled \xe2\x80\x9cProcedure for Processing Request to Transfer\n        Select Agents and Toxins, APHIS/CDC Form 2,\xe2\x80\x9d which was approved January 16, 2011.\n        This document addresses how requests for transfers are communicated within APHIS and\n        CDC. Part of the transfer process includes reviewing whether APHIS movement permits\n        are valid for the recipient and sender of the select agent. If the transfer includes a CDC-\n        only select agent or toxin, CDC must approve the request. In the transfer case cited in the\n        OIG report, all procedures were followed correctly.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. The SOP cited states\nthat if the recipient entity is not registered to possess the select agent, do not approve the transfer.\nIn the case cited by OIG, the recipient entity did not possess a certificate of registration. Further,\nthe SOP cited addresses communications between APHIS and CDC, not communications that\noccur internally within APHIS, where we cited the discrepancy. To reach management decision,\nAPHIS should develop and implement procedures to ensure that all affected parties (both within\nAPHIS and outside of APHIS) receive communication of relevant information regarding\nsignificant decisions, such as the approval of a transfer of a select agent, before such a\ndetermination is made.\n\nRecommendation 4\nNotify each registered entity to clarify that its RO must ensure that SRA renewals are done\ntimely and not allowed to expire.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n        APHIS does not concur with the recommendation. APHIS notifies the *** RO of the ***\n        SRA expiration dates as a courtesy, and it is the ROs\xe2\x80\x99 responsibility to ensure that SRAs\n        are renewed on time. However, the Federal Select Agent Program (FSAP) will develop a\n        guidance document for ROs which will remind ROs that it is their responsibility to see\n        that employee SRAs are renewed in a timely fashion. This document will be completed\n        by December 3, 2012.\n\nOIG Position\nAlthough APHIS does not agree with this recommendation, its proposed corrective action to\ndevelop guidance for ROs to remind them of their responsibility to see that SRAs are renewed\ntimely is sufficient to reach management decision. Therefore, we accept management decision\nfor this recommendation.\n\n\n\n\n                                                           AUDIT REPORT 33701-0001-AT                13\n\x0cSection 2: Registered Entity Compliance Issues\n\nFinding 2: APHIS Allowed Transfers of Select Agents to Unregistered\nEntities Without Approved Security Plans\nAPHIS permitted select agent transfers to two unregistered entities that had either not yet been\ninspected or where inspections had revealed deficiencies in the entity\xe2\x80\x99s security or incident\nresponse plans.31 In both cases, a registered entity was relocating to a new facility that was not\nyet approved for the select agent program. APHIS officials explained that this occurred because\nthe registration process for an entity can at times be lengthy if the entity has areas in the facility\nthat are not yet complete and APHIS did not foresee circumstances where select agents might\nneed to be transferred to a new facility owned by a registered entity before the new facility\nbecame fully registered. Therefore, APHIS had not established written policies and procedures\nto identify under what special circumstances, such as relocating to a new facility or temporarily\ntransferring select agents to another location that is not registered while the entity makes\nemergency repairs to existing facilities, an unregistered entity may be allowed to store select\nagents. Because APHIS did not have assurance that the new facilities met safety and security\nrequirements, the risk of theft, loss, or release of select agents increased.\n\nProgram regulations state that select agents may only be transferred to registered individuals or\nentities.32 In order to transfer select agents, the entity receiving the agents must submit a request\nform providing the names and quantities of the select agents or toxins being transferred, as well\nas the sender\xe2\x80\x99s name, address, and telephone number. APHIS evaluates the request and\ndetermines whether it will allow the transfer.\n\nAPHIS authorized two entities to transfer their inventories\xe2\x80\x94which included Bacillus anthracis,\nYersinia pestis, and BSE\xe2\x80\x94to unregistered facilities that had submitted security and incident\nresponse plans, but had not yet received approval for the plans. We did note that in both cases,\nAPHIS authorized only the storage of select agents in the unregistered facilities, but not their\nuse.\n\nIn the first case, APHIS had identified 27 issues in the entity\xe2\x80\x99s incident response and security\nplans that needed correction. For instance, the incident response plan did not address how the\nfacility would respond to events such as explosions, gas leaks, power outages, bomb threats, and\nsuspicious packages.33 However, APHIS did not communicate these deficiencies to the entity\n\n\n\n\n31\n   An entity (corporation, university, or other) may have multiple facilities under its purview; however, each facility\nis, by itself, a separate registered entity.\n32\n   7 CFR 331.16, 9 CFR 121.16, and 42 CFR 73.16.\n33\n   Regulations require that entities have an incident response plan in place that describes an entity\xe2\x80\x99s response\nprocedures for events such as bomb threats, suspicious packages, and emergencies \xe2\x80\x93 such as fires, gas leaks,\nexplosions, and power outages.\n\n\n14      AUDIT REPORT 33701-0001-AT\n\x0cuntil 2 months after the select agents were transferred.34 The entity eventually resolved the\nissues, and APHIS approved the registration 7 months after the agents were transferred there. 35\n\nIn the second case, the entity\xe2\x80\x99s RO requested, on November 26, 2008, that APHIS allow the\ntransfer of BSE to the new facility prior to registration because the lease at the old facility was\nexpiring at the end of 2008. APHIS approved the transfer on December 2, 2008\xe2\x80\x94but had yet to\nperform the inspection of the new facility. Additionally, APHIS did not require the entity to\ncomplete a transfer request form. Given the risks that select agents pose to human, animal, and\nplant health, APHIS should take steps to ensure the transfers are made only to entities that have\nmet the safety and security requirements established in the regulations.\n\nOverall, APHIS does not have written policies and procedures in place to allow the transfer of\nselect agents under special circumstances. In the two cases we found, APHIS required one entity\nto submit a transfer request form, while instructing the other entity that a transfer request form\nwas not required. This illustrates the need for written, formal guidance on the subject. APHIS\nofficials acknowledged the need for policies covering select agent transfers made under special\ncircumstances. To address this issue, we understand that APHIS is working with the CDC to\ndevelop formal procedures to allow either a temporary registration or a partial registration, such\nas authorizing an entity only to store a select agent in a designated room.\n\nRecommendation 5\nEstablish policies and procedures for handling requests from registered entities to transfer select\nagents, under special circumstances, such as when an entity must relocate to facilities that are not\nregistered with the select agent program.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n         APHIS concurs with this recommendation. The FSAP will develop a section of the\n         registration form for entities to register for storage only. FSAP will also develop\n         guidance for inspectors and entities on the requirements for such facilities. These actions\n         will be completed and implemented by September 30, 2013.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. Although we agree with\nAPHIS\xe2\x80\x99 proposal to develop a section of the registration form for entities to register for storage\nonly and develop guidance for inspectors and entities on the requirements for such facilities,\nAPHIS does not explain how this proposal relates to the transfer of select agents, under special\ncircumstances, to an unregistered facility. To reach management decision, APHIS needs to\n34\n   The entity transferred the select agents and toxins to the new facility on February 27, 2008; however, APHIS did\nnot notify the entity of the deficiencies until April 17, 2008.\n35\n   APHIS authorized the transfer of the select agents on February 19, 2008; however, it approved the registration of\nthe new facility on September 22, 2008.\n\n\n                                                                   AUDIT REPORT 33701-0001-AT                     15\n\x0cexplain how the registration for storage only relates to the transfer of select agents, under special\ncircumstances, to an unregistered facility and how the guidance being developed for inspectors\nand entities relates to the process.\n\n\n\n\n16     AUDIT REPORT 33701-0001-AT\n\x0cFinding 3: Entities Did Not Adhere to Access Security Requirements\nThree of the seven entities we reviewed allowed unauthorized individuals unescorted access to\nareas registered for use or storage of select agents. In addition, one of these three entities did not\nmaintain a logbook identifying names of unauthorized individuals who accessed areas containing\nselect agents. This occurred because entities believed that these individuals did not have access\nto select agents because APHIS\xe2\x80\x99 guidance did not clearly define what is meant by \xe2\x80\x9caccess\xe2\x80\x9d to\nselect agents, leading entities to interpret the guidance contrary to APHIS\xe2\x80\x99 intent.36 Although the\nunauthorized access instances we found did not involve direct access to select agents, the lack of\ncompliance with access security requirements increases the risk that unauthorized individuals\ncould acquire access and potentially misuse select agents.\n\nIndividuals accessing select agents must undergo an SRA and be approved by APHIS (hereafter\nreferred to as \xe2\x80\x9cSRA approval\xe2\x80\x9d).37 Anyone without SRA approval is considered unauthorized,38\nand may not access select agents.39 Registered entities must also maintain information about all\nentries into areas containing select agents, including the names, names of escorts (if applicable),\nand the dates and times of entry.40\n\nIn one case, a company that was registered to work with select agents such as Bacillus anthracis\nand Yersinia pestis, allowed an unauthorized individual keycard access to a lab space registered\nfor select agent use. The person in question was a scientist who worked in the same facility, but\ndid not have SRA approval. As a result, the unauthorized scientist could enter the space\nregistered for select agent use at any time.41 Facility officials said that select agents were not in\nuse in the registered area when the scientist entered, and therefore they did not think this was a\nviolation of regulations. However, this policy contradicts the company\xe2\x80\x99s security plan, which\nstates that only SRA-approved persons would have unescorted access to areas where select\nagents are used or stored. As a result of our finding, APHIS officials conducted a review of the\ncompany and determined that it was in violation of regulations.\n\nThe two other entities in question gave maintenance workers who were not SRA approved\nunescorted access to areas registered for select agent use. In one case, a company, which works\nwith highly pathogenic avian influenza,42 allowed maintenance workers key card access to the\nregistered area while the facility was temporarily shut down for maintenance. The RO at the\ncompany stated that, since the facility was shut down and select agents were not in use, he did\nnot believe that the individuals had access to select agents. However, the company\xe2\x80\x99s security\n\n36\n   APHIS officials stated their intent was that no unauthorized individuals (individuals without an approved SRA)\nshould be allowed into any area registered for select agent use\xe2\x80\x94regardless of whether the agents were present or\nnot\xe2\x80\x94unless such access is granted for a specific purpose and documented in an APHIS-approved security plan.\n37\n   7 CFR 331.10(a) and (b) and 9 CFR 121.10(a) and (b).\n38\n   APHIS/CDC Guidance, Select Agents and Toxins: Security Information Document, dated March 8, 2007.\n39\n   7 CFR 331.10(a) and 9 CFR 121.10(a).\n40\n   7 CFR 331.17(a)(4) and 9 CFR 121.17(a)(4).\n41\n   An entity must identify specific areas where select agents will be used or stored. This may include only one room\nof a facility, several rooms, an entire building, or multiple buildings. As such, we use the term \xe2\x80\x9cregistered area\xe2\x80\x9d to\nidentify those area(s) in which the entity is approved to use or store select agents.\n42\n   Highly pathogenic avian influenza, also called \xe2\x80\x9cbird flu,\xe2\x80\x9d is a virus that infects birds and can affect humans. It is\nhighly contagious among birds and can result in high mortality rates among birds, especially chickens and turkeys.\n\n\n                                                                     AUDIT REPORT 33701-0001-AT                      17\n\x0cplan stated that maintenance would be performed by SRA-approved individuals or unapproved\nindividuals would be escorted. As such, the company was not complying with its own security\nplan.\n\nAdditionally, the entity maintained a sign-in book at the front door of the facility to document\nvisitors; however, the book did not identify who accessed areas where select agents were used or\nstored, when such access occurred, or the name of that person\xe2\x80\x99s escort. The staff of the facility\ndid not view this as noncompliance with regulations because they used electronic access records\nto document entry into areas containing select agents. However, this system does not capture\nwhen individuals without keycard access accompany individuals into areas where select agents\nare used. Thus, the company did not comply with select agent regulations which require a\nregistered entity to maintain documentation that includes the name, name of escort (if\napplicable), date, and time of entry for all entries into spaces containing select agents.\n\nIn the second case, the company, which works with BSE, sought and received APHIS\xe2\x80\x99 approval\nto allow unescorted access by maintenance workers. However, the company did not revise its\nsecurity plan to identify that it would allow unescorted access by workers who did not have SRA\napproval, nor to identify the additional security measures that would be implemented during the\ntime such access was permitted. In addition, APHIS did not require the company to revise its\nsecurity plan to reflect that it would allow access by these unauthorized individuals or identify\nwhat additional security measures would be implemented. The revised security plans should\nhave reflected the circumstances under which access could occur and the additional security\nmeasures that would be in place during that time, such as removing all select agents from the\narea, decontaminating the area before access was granted, and restricting access to other areas\nregistered for select agent use or storage.\n\nIn these two latter cases, an APHIS official acknowledged that the security plans should have\nbeen revised prior to allowing unescorted access by maintenance personnel. However, since\nthere were no select agents present when the maintenance was performed and the one company\nhad sought permission to allow unescorted individuals in the registered area, the risk relating to\nthis access was minimal. Although one company sought APHIS\xe2\x80\x99 approval for unescorted\nmaintenance (for painting) in a September 24, 2010, letter, APHIS\xe2\x80\x99 September 27, 2010,\nresponse approving the request did not inquire as to what maintenance procedures were included\nin the company\xe2\x80\x99s security plans or attempt to determine whether a change was needed in the\ncompany\xe2\x80\x99s security plan to address future maintenance needs.\n\nThese first two cases occurred because companies did not believe that the individuals had access\nto select agents because APHIS had not clearly defined what is meant by \xe2\x80\x9caccess\xe2\x80\x9d to select\nagents. The regulations state that an individual has access if the individual has possession of the\nselect agent or the \xe2\x80\x9cability to gain possession\xe2\x80\x9d of a select agent. However, the term \xe2\x80\x9cability to\ngain possession\xe2\x80\x9d is not defined. Therefore, the entities in the first two cases believed that, as\nlong as select agents were not in use or stored in the registered area when unauthorized\nindividuals entered, it was acceptable to allow access. However, because select agents may be\nbrought into the registered space at any time, individuals with keycard access to these areas\ncould potentially have access to select agents.\n\n\n\n\n18     AUDIT REPORT 33701-0001-AT\n\x0cAPHIS officials stated that their intent was that no unauthorized individuals should be allowed\ninto any area registered for select agent use\xe2\x80\x94regardless of whether the select agents were\npresent or not\xe2\x80\x94unless such access was granted for a specific purpose and documented in an\nAPHIS-approved security plan.\n\nGenerally, we found that registered entities are not always following their approved security\nplans when permitting access to areas where select agents are used or stored, even though these\nplans were appropriately designed to comply with regulations in prohibiting access to areas\nwhere select agents were used and/or stored. To ensure that registered entities understand their\nresponsibilities, fully comply with access requirements, and adequately secure select agents,\nAPHIS should clarify its guidance. APHIS officials agreed that they could issue guidance to\nclarify access requirements.\n\nRecommendation 6\nProvide guidance to registered entities that clarifies the restricted access requirements for select\nagent registered space. Specifically, the guidance should (1) clearly define \xe2\x80\x9caccess\xe2\x80\x9d and the\nmeaning of \xe2\x80\x9cability to gain possession,\xe2\x80\x9d and (2) clarify whether access is prohibited to all areas\nregistered for select agent use, storage, and transfer, and include examples of appropriate and\ninappropriate access control scenarios.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS concurs with this recommendation. APHIS will clarify \xe2\x80\x9caccess\xe2\x80\x9d and \xe2\x80\x9cability to\n       gain possession\xe2\x80\x9d in its security plan guidance document and escort policy guidance\n       document. These documents will be revised by June 28, 2013.\n\nOIG Position\nWe accept management decision for this recommendation.\n\nRecommendation 7\nEnsure that the company, which allowed the scientist who was not SRA approved, restricts\naccess to that individual or obtains appropriate approvals to allow that individual to have access\nto select agent registered space.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       Shortly after OIG advised us of this incident, APHIS sent an inspection team, that also\n       included APHIS Investigative and Enforcement Services, to review the incident.\n\n\n\n                                                          AUDIT REPORT 33701-0001-AT               19\n\x0c       APHIS subsequently issued a letter of warning to the entity on February 3, 2012. The\n       entity has assured APHIS in writing that the individual no longer has access to the\n       registered space.\n\nOIG Position\nWe are unable to accept management decision for this recommendation. In the recommendation\nwe ask that APHIS ensure that the entity has either restricted that individual\xe2\x80\x99s access or obtained\napproval to allow the individual to have access to the registered space. While we appreciate\nAPHIS\xe2\x80\x99 actions in investigating the matter promptly, APHIS has not ensured that the individual\nno longer has access to the registered space. To reach management decision, APHIS needs to\nverify that the individual no longer has access to the registered space.\n\nRecommendation 8\nRequire the company that allowed unapproved maintenance workers keycard access for select\nagent areas to revise its security plan to reflect how it provides access to registered areas for\nconducting maintenance activities.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with the recommendation. In Title 9 of the Code of Federal\n       Regulations (CFR) section 121.11(c) and 7 CFR 331.11(c), the select agent regulations\n       state that entities must specify in their security plan provisions for controlling access to\n       select agents and toxins and provisions for routine cleaning, maintenance, and repairs. In\n       the specific instance cited above, the entity had removed select agents from the registered\n       area; therefore, the maintenance workers did not have access to select agents. The\n       entity\xe2\x80\x99s security plan properly identifies procedures for access and escort of non-SRA\n       personnel in areas where there is the potential for access to select agents. Therefore,\n       changes are not needed to the entity\xe2\x80\x99s security plan.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. The regulations cited by\nAPHIS above are comprised of two distinct requirementsthe security plan must: (1) contain\nprocedures for the control of access to select agents and toxins and (2) contain provisions for\nroutine cleaning, maintenance, and repairs. We agree that the entity\xe2\x80\x99s security plan included\nboth these elements. However, the entity was not conducting its cleaning, maintenance, and\nrepairs in accordance with its written security plan. Because operating in a manner that is\nincongruent with its written security plan could give rise to additional security and safety risks,\nthe security plan should be revised to reflect how the entity actually conducts its maintenance,\ncleaning, and repairs. This will allow APHIS to ensure that appropriate controls are in place to\nensure the security of the select agents and safety of those performing the cleaning, maintenance,\n\n\n\n20     AUDIT REPORT 33701-0001-AT\n\x0cand repairs. To reach management decision, APHIS needs to require the company in question to\nrevise its security plan to reflect how it performs it cleaning, maintenance, and repair activities.\n\nRecommendation 9\nDetermine whether the company that sought permission to allow unescorted access by\nunapproved maintenance workers continues to engage in the practice of allowing unescorted\naccess. If so, require the company to revise its security plan to include a provision to allow\nunescorted maintenance workers and describe the types of additional security measures to be\nimplemented when unescorted persons are present.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with this Recommendation. Regulations in 9 CFR 121.11(c) and\n       7 CFR 331.11(c) state that entities must specify in their security plan provisions for\n       controlling access to select agents and toxins and provisions for routine cleaning,\n       maintenance, and repairs. In the specific instance cited above, the entity had removed\n       select agents from the registered area; therefore, the maintenance workers did not have\n       access to select agents. The entity\xe2\x80\x99s security plan properly identifies the procedures for\n       access and escort of non-SRA personnel in areas where there is the potential for access to\n       select agent regulations. Therefore, changes are not needed to the entity\xe2\x80\x99s security plan.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. The regulations cited by\nAPHIS are comprised of two distinct requirements; the security plan must (1) contain procedures\nfor the control of access to select agents and toxins and (2) contain provisions for routine\ncleaning, maintenance, and repairs. We agree that the entity\xe2\x80\x99s security plan included both these\nelements. However, the entity was not following the procedures in its written security plan. To\nreach management decision, APHIS needs to determine whether the entity is now following its\nwritten security plan. If not, the entity should be required to revise its security plan to reflect\nactual procedures for cleaning, maintenance, and repairs.\n\n\n\n\n                                                         AUDIT REPORT 33701-0001-AT               21\n\x0cFinding 4: Persons with Access to Select Agents Did Not Possess Updated\nSRAs\nFour of the seven entities we reviewed allowed individuals with expired SRAs continued access\nto select agents. Individuals identified by an entity as having a legitimate need to handle or use\nselect agents must undergo an SRA by CJIS and may not access select agents unless approved.\nSRAs are valid for a maximum of 5 years.43 While Federal regulations place the ultimate\nresponsibility with the entity,44 we found entity officials were not tracking when individual SRAs\nexpired. Entity officials told us that they relied on APHIS to notify them that SRA renewals\nwere needed. An APHIS official stated that the agency only provided the notices as a courtesy\nand expected entities to ensure that SRAs were timely renewed, even in the absence of\nnotification from APHIS. However, as we discuss in Finding 1, APHIS\xe2\x80\x99 expectation of the\nentities was unclear, in that APHIS\xe2\x80\x99 procedures stated that it would notify the entity\xe2\x80\x99s RO when\nrenewals were needed.\n\nAPHIS officials stated that the tracking process to identify expiring SRAs requires staff to\nmanually compare information from two separate systems to create the list of expiring SRAs.\nBecause this is a manual process, there is a higher risk of errors and omissions. In fact, we found\nthe notifications APHIS provided to the ROs were not always accurate or timely. We identified\na total of 11 SRA approvals that were not renewed or cancelled for time periods ranging from\n14 to 478 days (see exhibit A for detail of lapses). We discovered this by obtaining the entities\xe2\x80\x99\nlists of persons approved for select agent access, and then reviewing the date when each person\xe2\x80\x99s\nSRA was set to expire. Once their SRA expired, 10 of these individuals continued to have\naccess to select agents for periods between 14 to 302 days before their SRA was successfully\nrenewed. The other person continued to have access from the time his approval expired until\n19 days later when he retired. However, the RO at this entity did not notify APHIS of the access\ntermination until 478 days after the SRA had expired.\n\nBecause of the potential for a change in an individual\xe2\x80\x99s classification to a restricted category\nafter being approved for access to select agents, an SRA must be renewed periodically to ensure\nthat a person can still safely possess, use, and transfer select agents.45 For instance, the SRA\nprocess restricts access for an individual convicted in any court of a crime punishable by a prison\nterm exceeding 1 year, or an individual who has been committed to a mental institution. For the\nperiod of our review, SRA approval was valid for a maximum of 5 years,46 after which the SRA\nmust be renewed.47 When an entity terminates a person\xe2\x80\x99s access to select agents, the RO must\nnotify APHIS immediately and provide the reasons for termination.48 If SRAs are not renewed\nin a timely manner and individuals continue to have access to select agents, it increases the risk\nthat the select agents could be intentionally misused or diverted for unauthorized purposes.\n43\n   7 CFR 331.10(g) and 9 CFR 121.10(g). Effective June 1, 2011, APHIS revised the maximum period of time for\nwhich an SRA is valid to 3 years.\n44\n   7 CFR 331.10(a) and 7 CFR 331.9(a)(4); 9 CFR 121.10(a) and 9 CFR 121.9(a)(4); and 42 CFR 73.10(a) and\n42 CFR 73.9(a)(4).\n45\n   Report of the Working Group on Strengthening the Biosecurity of the United States, dated October 1, 2009.\n46\n   Effective June 1, 2011, APHIS and CDC require that SRAs must be renewed every 3 years, instead of every\n5 years.\n47\n   7 CFR 331.10(h), 9 CFR 121.10(i), and 42 CFR 73.10(i).\n48\n   7 CFR 331.10(i), 9 CFR 121.10(j), and 42 CFR 73.10(j).\n\n\n22     AUDIT REPORT 33701-0001-AT\n\x0cSRAs are a key security measure for the select agent program. APHIS must create a reliable list\nto serve as the foundation of its SRA approval monitoring efforts. APHIS must also ensure that\nROs accurately track their employees\xe2\x80\x99 SRA approvals and timely renew them before they expire.\nWe understand APHIS is now working to automate its list compilation process to ensure\naccuracy, as well as more timely notification to the ROs.\n\nRecommendation 10\nDevelop and implement policies and procedures for monitoring ROs to ensure the ROs are\nseeking timely renewals or terminations of individuals\xe2\x80\x99 SRAs.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with the recommendation. APHIS will analyze the discrepancies\n       provided by OIG to determine the reasons for possible lapses in individual\xe2\x80\x99s SRAs. If\n       needed, we will develop processes to address these lapses. The analysis will be\n       completed by December 3, 2012.\n\nOIG Position\nWe are unable to accept management decision for this recommendation. Because APHIS is\nresponsible to ensure that entities are complying with program requirements, the agency needs to\nmonitor the ROs to ensure that they are renewing or terminating each individual\xe2\x80\x99s SRA, as\nappropriate. To reach management decision, APHIS needs to develop and implement policies\nand procedures for monitoring ROs to ensure that the ROs are seeking timely reviews or\nterminations of individuals\xe2\x80\x99 SRAs.\n\n\n\n\n                                                       AUDIT REPORT 33701-0001-AT             23\n\x0cFinding 5: Responsible Officials and Employees Lacked Required Biosafety\nand Security Training\nFive of the seven entities\xe2\x80\x99 ROs or alternate ROs did not have documentation of their required\nbiosafety or biocontainment and security training. ROs and alternate ROs serve as select agent\nregulations experts in their respective entities, and often train their staff in safety and security\nmeasures. Although APHIS requires all individuals with access to select agents, including the\nRO and alternate RO, to have annual training on biosafety and security, APHIS did not require\nROs or alternate ROs to have specific training related to their select agent program oversight\nresponsibilities. The ROs and alternate ROs did not always comply with the select agent\nregulations in the maintenance of required training documentation to evidence training provided.\nFurther, without appropriate training, ROs or alternate ROs could be providing incorrect or\nincomplete information to their employees. Additionally, all seven entities either did not ensure\nthat all employees received the required annual training, or did not maintain complete training\nrecords for their employees, including evidence that the employees understood the training\nreceived. In 2 cases, entities did not provide training to all 58 individuals for 1 year. If training\nis not routinely conducted or is not understood, individuals working with select agents could\ndevelop critical knowledge gaps. These lapses in program training heighten the risk that\nindividuals could hurt themselves or damage public, plant, or animal health if they mishandle a\nselect agent or inadvertently cause a security breach.\n\nEntities must provide biosafety or biocontainment and security training to each SRA-approved\nperson before he/she can gain access to select agents, and refresher training annually thereafter.49\nEntities must also maintain records, including the date and description of the training, as well as\nthe means used to verify that the individual understood the training (such as a quiz or test).50\nThese records must be maintained for 3 years.51\n\nResponsible Officials\xe2\x80\x99 Training\n\nAt five of the seven entities we visited, the RO or alternate RO did not document that they\nreceived or understood the required training in biosafety or biocontainment and security. They\nstated that APHIS had not provided guidance as to how ROs and alternate ROs were to meet the\ntraining requirements or how they were to document their training when they served as the\nsubject matter expert and provided the training to other staff. Further, we noted that APHIS has\nnot required any specific training for the ROs or alternate ROs to ensure that those responsible\nfor implementing and overseeing the select agent programs at the registered entities have the\nknowledge necessary to effectively oversee the program. During our audit, we noted certain\nissues, which highlighted the need for training specifically focused on ensuring that ROs and\nalternate ROs are aware of select agent program requirements. For example, as we discussed in\nFinding 3, not all ROs clearly understood that only individuals with an SRA approval may have\naccess to areas where select agents are used or stored. Additionally, as we discussed in\nFinding 4, ROs were relying on APHIS to notify them when an individual\xe2\x80\x99s SRA was due to\nexpire, instead of monitoring that themselves and ensuring timely renewals. Without appropriate\n49\n   7 CFR 331.15, 9 CFR 121.15, and 42 CFR 73.15.\n50\n   APHIS/CDC Guidance, Select Agents and Toxins, Security Information Document, March 8, 2007.\n51\n   7 CFR 331.17(c), 9 CFR 121.17(c), and 42 CFR 73.17(c).\n\n\n24     AUDIT REPORT 33701-0001-AT\n\x0ctraining, ROs could be providing incorrect or incomplete information to their employees, thus\nheightening the risk to the health of persons, plants, or animals.\n\nAPHIS acknowledged that it has not issued specific training requirements for ROs. However, on\nOctober 3, 2011, APHIS issued a proposed rule that will require ROs to possess appropriate\ntraining or expertise to ensure that the entity they oversee meets the requirements of the\nregulations. In addition, APHIS officials stated that, as a result of our concerns, they have\ndiscussed developing training specifically for ROs to ensure that ROs are knowledgeable of\nselect agent program requirements, but, due to other priorities, they have yet to develop the\ntraining.\n\nTraining Other Authorized Persons\n\nAll seven entities did not maintain complete training records for all approved individuals or\nensure that all individuals received the required training. For example, 2 entities did not provide\nthe required annual training to any of the 58 persons registered to work with select agents for\n1 of the 3 years that we reviewed. For one of these cases, the RO stated that he did not know\nwhy training was not provided because he was not the RO during that year. At the other, the RO\nstated that, instead of providing formal training, the staff read the standard operating procedures;\nhowever, this did not include a procedure to ensure that the person receiving the training\nunderstood the training, which is part of the training requirements.\n\nGenerally, where entities did not have complete records to document the required training, it was\nbecause they had not retained the required records. In one instance where the entity did not\nmaintain records for the 3-year period required by APHIS regulations, the RO stated that it was\nbecause the entity\xe2\x80\x99s computer system purged the training records after 12 months. At another\nentity where they did not require all SRA-approved individuals to attend training, the RO said\nthat the three SRA-approved individuals that did not receive training did not routinely access\nselect agents, or were escorted when they were in the presence of select agents. However,\nAPHIS regulations require that all individuals, whether SRA-approved or not, receive training\nprior to entering areas where select agents are used or stored.\n\nRecommendation 11\nDevelop and conduct training for all ROs and alternate ROs that provides the information\nnecessary to effectively oversee the select agent program. The session should provide a method\nof assessing that ROs and alternate ROs understood the training.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with this Recommendation. The FSAP held workshops on RO\n       duties and responsibilities on November 16, 2011; May 10, 2011; June 15, 2010; August\n       12, 2009; and December 9, 2008. We will hold another workshop for ROs on November\n       16, 2012. A training requirement for ROs and alternate ROs was included in the\n\n\n                                                         AUDIT REPORT 33701-0001-AT               25\n\x0c       proposed rule published in December 2011, titled \xe2\x80\x9cAgricultural Bioterrorism Protection\n       Act of 2002; Biennial Review and Republication of the Select Agent and Toxin List;\n       Amendments to the Select Agent and Toxin Regulations.\xe2\x80\x9d The public comments we\n       received did not support such a requirement. However, FSAP will develop a guidance\n       document that describes RO responsibilities; this will be completed by December 3,\n       2012.\n\nOIG Position\nWe are unable to reach management decision for this recommendation. Although the workshops\nfor ROs are beneficial, as would be a guidance document, they do not provide the same level of\nassurance that the ROs and alternate ROs are adequately knowledgeable of select agent\nregulations as would specific training, especially when the training is accompanied by a method\nfor assessing that the ROs and alternate ROs understood the training. We reviewed the 65 public\ncomments related to the proposed rule on Regulations.gov and found that 2 of the 65 comments\nfavored \xe2\x80\x9cmandatory\xe2\x80\x9d periodic training of personnel working with and responsible for biosafety\nand biosecurity. To reach management decision, APHIS should develop and conduct training for\nall ROs and alternate ROs to provide the information necessary to effectively oversee the select\nagent program. This training should include a method of assessing the ROs and alternate ROs\nunderstanding of the training.\n\nRecommendation 12\nProvide guidance to each RO re-emphasizing the requirement that biosafety and security training\nmust be provided to and documented for all authorized individuals with access to select agents.\nThe guidance should state that documentation of the training must include the name of the\nattendee, a description of the training, date of the training, and the means used to verify that the\nemployee understood the training. The guidance should also state that these records must be\nmaintained for 3 years.\n\nAgency Response\nIn its September 28, 2012, response APHIS stated:\n\n       APHIS does not concur with this Recommendation. The current regulations in 9 CFR\n       121.15(c) and 7 CFR 331.15(c) already require that documentation of the training include\n       the name of the attendee, a description of the training, date of the training, and the means\n       used to verify that the employee understood the training. The 3-year records retention is\n       also a requirement in 9 CFR 121.17(c) and 7 CFR 331.17(c). We will re-emphasize the\n       training requirements in the RO guidance document that will be finalized by December 3,\n       2012. (This guidance document is the same document mentioned in Recommendations 4\n       and 11.) These requirements will also be specified in the security guidance document\n       that will be developed by December 3, 2012.\n\n\n\n\n26     AUDIT REPORT 33701-0001-AT\n\x0cOIG Position\nAlthough APHIS does not agree with this recommendation, its proposed corrective action to re-\nemphasize the training requirements in the RO guidance document is sufficient to reach\nmanagement decision. We accept management decision for this recommendation.\n\n\n\n\n                                                      AUDIT REPORT 33701-0001-AT            27\n\x0cScope and Methodology\nThis is our follow up audit to Phases I and II of APHIS\xe2\x80\x99 implementation of the select agent\nprogram to determine whether APHIS\xe2\x80\x99 new controls are effectively ensuring that registered\nentities are complying with governing regulations.52 We examined registered entities\xe2\x80\x99\ncompliance with the select agent regulations and assessed APHIS\xe2\x80\x99 oversight of the entities from\nMarch 2010 through January 2012.\n\nWe conducted fieldwork at APHIS Headquarters in Riverdale, Maryland, and at seven\njudgmentally selected registered entities,53 reviewing program operations from calendar year\n2007 through January 2012. We judgmentally selected 7 entities from the universe of\n59 registered entities54 that were registered as of May 2010 for review, based on knowledge from\nprevious audits, the types of select agents possessed by entities, geographic considerations, and\nentity type (e.g., commercial, non-profit, etc.). We used a judgmental sample so that we could\nreview entities with a variety of select agents and security measures. Our sample of seven\nconsisted of one academic institution, two commercial entities, two Federal entities, one State\nentity, and one privately-held entity. Because we did not use a statistical sample, we cannot\nproject our results to the universe of registered entities.\n\nTo accomplish our audit objectives, we performed the following steps at APHIS headquarters:\n\n     \xc2\xb7   Reviewed corrective actions implemented as a result of our prior audits.\n     \xc2\xb7   Interviewed APHIS officials from both Veterinary Services and PPQ to determine what\n         roles Veterinary Services and PPQ have in the select agent program.\n     \xc2\xb7   Interviewed personnel from APHIS\xe2\x80\x99 Investigative and Enforcement Services to\n         determine what role Investigative and Enforcement Services has in the select agent\n         program.\n     \xc2\xb7   Interviewed APHIS officials to determine agency procedures for coordinating with the\n         CDC for activities, such as entity registration and certification, inspection, and\n         enforcement activities.\n     \xc2\xb7   Interviewed APHIS officials to determine registration, renewal, and amendment policies;\n         inspection types; transfer policies; and theft, loss, and release policies.\n\n\n\n52\n   APHIS Evaluation of the Implementation of the Select Agent or Toxin Regulations, Phase I (33601-0002-AT,\nJune 23, 2005) and APHIS Evaluation of the Implementation of the Select Agent or Toxin Regulations, Phase II\n(33601-0003-AT, January 17, 2006).\n53\n   Our sample included 10 judgmentally selected entities, but due to budget constraints, 3 of the selected entities\nwere eliminated from the review.\n54\n   The 59 registered entities consisted of 8 Federal governmental entities, 7 State governmental entities, 21 academic\ninstitutions, 21 commercial entities, and 2 private entities. As of May 2012, the number of registered entities had\ndeclined to 50 because some entities withdrew from the Select Agent Program, while others are now registered\nunder CDC\xe2\x80\x99s Select Agent Program, due to a change in the select agents they process.\n\n\n28       AUDIT REPORT 33701-0001-AT\n\x0c   \xc2\xb7   Examined registration files and security, biocontainment, biosafety, and incident response\n       plans for the seven selected entities.\n\nAt the seven selected entities, we performed the following steps:\n\n   \xc2\xb7   Interviewed the ROs and alternate ROs to gain an understanding of each entity\xe2\x80\x99s\n       implementation of select agent program regulations, as well as compliance with the\n       regulations.\n   \xc2\xb7   Evaluated security, biocontainment, biosafety, and incident response plans. We\n       examined each plan to ensure it included procedures for inventory control; physical\n       security; personnel security and suitability; accountability for select agents; security\n       training; transfer of select agents; response to emergencies; and reporting incidents,\n       injuries, and breaches.\n   \xc2\xb7   Evaluated the entities\xe2\x80\x99 policies and procedures for restricting access to select agents,\n       inventory control, transferring select agents, and notifying APHIS in the event of a theft,\n       loss, or release.\n   \xc2\xb7   Evaluated physical security measures in place for each laboratory where select agents\n       were stored and/or used.\n   \xc2\xb7   Assessed the accuracy, adequacy, and completeness of the records required by each RO\n       including:\n           o   security, biocontainment/biosafety, and incident response plans;\n           o   site-specific risk assessments;\n           o   training records;\n           o   authorized individuals;\n           o   security records (e.g., transactions from access control systems, visitor logs, etc.);\n           o   inventory records (including select agent source and characteristic data); and\n           o   transfer documents issued by APHIS or CDC.\n\nWe conducted this audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our audit findings and conclusions based on our audit\nobjectives. We believe that the evidence we obtained provide a reasonable basis for our findings\nand conclusions based on our audit objectives.\n\n\n\n\n                                                         AUDIT REPORT 33701-0001-AT                29\n\x0cExhibit A: Summary of SRA Renewal Deficiencies\nExhibit A identifies the number of days that elapsed between the date that the individual\xe2\x80\x99s SRA\nexpired and the date that the individual\xe2\x80\x99s SRA was renewed, or the date that the individual\xe2\x80\x99s\nname was submitted to APHIS to be removed from the list of approved users of select agents.\nThe first column identifies the entity at which this was observed; the second column identifies\nthe employee sample number; the third column provides the date the SRA expired; the fourth\ncolumn identifies the date the individual\xe2\x80\x99s SRA was renewed and/or was removed from the list\nof authorized users of select agents; and the fifth and final column identifies the number of days\nthat elapsed between the SRA expiration and SRA renewal (or removal from list of authorized\nusers).\n\n                 Individual with      SRA Expiration          Approval (A)/              Days\n     Entity\n                  Expired SRA              Date              Removal (R) Date           Lapsed\n     Entity 1      Employee 1           03/22/2010            08/20/2010 (A)             151\n     Entity 1      Employee 7           06/22/2010            09/20/2010 (A)             110\n     Entity 1     Employee 26           11/02/2010            11/16/2010 (A)              14\n     Entity 1     Employee 29           12/17/2009            08/20/2010 (A)             246\n     Entity 3      Employee 8           05/12/2010            09/22/2010 (A)             133\n     Entity 3     Employee 68           05/11/2010            09/23/2010 (A)             135\n     Entity 4      Employee 5           03/29/2011            04/13/2011 (A)              15\n     Entity 5      Employee 1           12/15/2008            04/07/2010 (R)             478\n     Entity 5      Employee 3           12/16/2008            10/01/2009 (A)             289\n     Entity 5      Employee 5           12/08/2008            09/18/2009 (A)             284\n     Entity 5     Employee 19           03/08/2009            01/04/2010 (A)             302\n\nNote: Employee 1 of entity 5 was shown as an authorized user from the time his approval\nexpired, until entity 5 requested that he be removed from the APHIS list of authorized users.\nOfficials of the entity stated that the employee retired January 3, 2009, 19 days after his approval\nexpired. However, the entity did not request APHIS to remove the individual from the list of\nauthorized users until April 7, 2010.\n\n\n.\n\n\n\n\n30      AUDIT REPORT 33701-0001-AT\n\x0cAbbreviations\nAPHIS ......................... Animal and Plant Health Inspection Service\nBSE ............................. Bovine Spongiform Encephalopathy\nCDC ............................ Centers for Disease Control and Prevention\nCFR ............................. Code of Federal Regulations\nCJIS ............................. Criminal Justice Information Service\nFESAP......................... Federal Experts Security Advisory Panel\nHHS............................. Health and Human Services\nNSAR .......................... National Select Agent Registry\nPPQ ............................. Plant Protection and Quarantine\nRO ............................... Responsible Official\nSRA ............................. Security Risk Assessment\nUSDA.......................... Department of Agriculture\n\n\n\n\n                                                              AUDIT REPORT 33701-0001-AT   31\n\x0c32   AUDIT REPORT 33701-0001-AT\n\x0cAgency\xe2\x80\x99s Response\n\n\n\n\n                  USDA\xe2\x80\x99S\n         ANIMAL AND PLANT HEALTH\n           INSPECTION SERVICE\xe2\x80\x99S\n         RESPONSE TO AUDIT REPORT\n\n\n\n\n                       AUDIT REPORT 33701-0001-AT   33\n\x0c\x0cUnited States\nDepartment of\n                         MEMORANDUM\nAgriculture\n\nAnimal and Plant\n                         TO:                Gil H. Harden                            September 28, 2012\nHealth Inspection                           Assistant Inspector General\nService\n                                            For Audit\nWashington, DC\n20250\n                         FROM:              Kevin Shea /s/\n                                            Acting Administrator\n\n                         SUBJECT: Animal and Plant Health Inspection Service\xe2\x80\x99s Response\n                                  and Request for Management Decisions on the Office\n                                  of Inspector General (OIG) Report, \xe2\x80\x9cFollow-Up on\n                                  on Animal and Plant Health Inspection Service\xe2\x80\x99s\n                                  Implementation of the Select Agent or Toxin Regulations\xe2\x80\x9d\n                                  (33701-01-AT)\n\n                         Thank you for the opportunity for the Animal and Plant Health Inspection Service\n                         (APHIS) to comment on this report.\n\n                         APHIS is committed to protecting the health of animals and plants and their\n                         products through the effective management and implementation of the select agent\n                         and toxin regulations. In its report, OIG stated that its findings resulted in\n                         \xe2\x80\x9cpotentially dangerous violations going undetected\xe2\x80\x9d or \xe2\x80\x9cjeopardizing the health of\n                         persons, plants or animals.\xe2\x80\x9d We believe none of the findings uncovered dangerous\n                         violations that jeopardized the health of persons, plants, or animals. We believe\n                         that such language is unduly alarming and suggest that it should be revised or\n                         removed from the audit report.\n\n                         We have addressed each Recommendation. In the majority of the\n                         Recommendations, we already have polices and/or procedures in effect that address\n                         the Recommendations. In other instances, we have included our planned corrective\n                         actions and the timeframes for implementing these actions.\n\n                         Recommendation 1\n\n                         Revise inspection procedures to include steps for sampling and reviewing\n                         access logs, access privileges, and electronic entry records (if available) to\n                         ensure entities are adhering to restricted access requirements, including log\n                         book documentation requirements.\n\n                         APHIS Response: APHIS does not concur with this Recommendation. APHIS\xe2\x80\x99\n                         current inspection procedures include sampling and reviewing access logs, access\n                         privileges, and electronic entry records during renewal inspections as well as annual\n\n                    Safeguarding American Agriculture\n                                                                                                   Federal Relay Service\n                    APHIS is an agency of USDA\xe2\x80\x99s Marketing and Regulatory Programs                 (Voice/TTY/ASCII/Spanish)\n                    An Equal Opportunity Provider and Employer                                     1-800-877-8339\n\x0ccompliance reviews. Select agent inspector training provided by APHIS\nspecifically addresses the process to examine records and to compare those\nexaminations with the list of authorized personnel. However, APHIS will review\nthe inspection checklists to determine if more specificity is necessary. This review\nwill be completed by December 3, 2012.\n\nRecommendation 2\n\nRevise the checklists and guidance used by inspectors to include (1) steps to\nidentify evidence of required training, including what documents are needed to\nverify an individual\xe2\x80\x99s understanding of the training, and (2) the scope of an\ninspector\xe2\x80\x99s training documentation review to identify the period of time for\nwhich training records were reviewed.\n\nAPHIS Response: APHIS does not concur with this Recommendation. Select\nagent inspector training provided by APHIS specifically addresses the process to\nexamine the entity\xe2\x80\x99s records to ensure that the training requirements are fulfilled.\nAPHIS inspectors review training records typically from the date of the last\ninspection forward by both APHIS and Centers for Disease Control and Prevention\n(CDC) on-site inspectors. APHIS will review the inspection checklists to determine\nif more specificity is necessary. This review will be completed by December 3,\n2012.\n\nRecommendation 3\n\nDevelop and implement procedures to ensure that all affected parties receive\ncommunication of relevant information regarding significant decisions, such as\nthe approval of a transfer of a select agent, before such determinations are\nmade.\n\nAPHIS Response: APHIS does not concur with this Recommendation. APHIS\nhas a Standard Operating Procedure for transfers, titled \xe2\x80\x9cProcedure for Processing\nRequest to Transfer Select Agents and Toxins, APHIS/CDC Form 2,\xe2\x80\x9d which was\napproved January 16, 2011. This document addresses how requests for transfers are\ncommunicated within APHIS and CDC. Part of the transfer process includes\nreviewing whether APHIS movement permits are valid for the recipient and sender\nof the select agent. If the transfer includes a CDC-only select agent or toxin, CDC\nmust approve the request. In the transfer case cited in the OIG report, all\nprocedures were followed correctly.\n\nRecommendation 4\n\nNotify each registered entity to clarify that its RO must ensure that SRA\nrenewals are done timely and not allowed to expire.\n\nAPHIS Response: APHIS does not concur with this Recommendation. APHIS\nnotifies the Responsible Official (RO) of the security risk assessment (SRA)\nexpiration dates as a courtesy, and it is the ROs\xe2\x80\x99 responsibility to ensure that SRAs\n                                          2\n\x0care renewed on time. However, the Federal Select Agent Program (FSAP) will\ndevelop a guidance document for ROs which will remind ROs that it is their\nresponsibility to see that employee SRAs are renewed in a timely fashion. This\ndocument will be completed by December 3, 2012.\n\nRecommendation 5\n\nEstablish policies and procedures for handling requests from registered\nentities to transfer select agents, under special circumstances, such as when an\nentity must relocate, to facilities that are not registered with the select agent\nprogram.\n\nAPHIS Response: APHIS concurs with this Recommendation. The FSAP will\ndevelop a section of the registration form for entities to register for storage only.\nFSAP will also develop guidance for inspectors and entities on the requirements for\nsuch facilities. These actions will be completed and implemented by September 30,\n2013.\n\nRecommendation 6\n\nProvide guidance to registered entities that clarifies the restricted access\nrequirements for select agent registered space. Specifically, the guidance\nshould (1) clearly define \xe2\x80\x9caccess\xe2\x80\x9d and the meaning of \xe2\x80\x9cability to gain\npossession\xe2\x80\x9d and (2) clarify whether access is prohibited to all areas registered\nfor select agent use, storage, and transfer, and include examples of appropriate\nand inappropriate access control scenarios.\n\nAPHIS Response: APHIS concurs with this Recommendation. APHIS will clarify\n\xe2\x80\x9caccess\xe2\x80\x9d and \xe2\x80\x9cability to gain possession\xe2\x80\x9d in its security plan guidance document and\nescort policy guidance document. These documents will be revised by June 28,\n2013.\n\nRecommendation 7\n\nEnsure that the company that allowed the scientist who was not SRA\napproved, restricts access to that individual or obtains appropriate approvals\nto allow that individual to have access to select agent registered space.\n\nAPHIS Response: Shortly after OIG advised us of this incident, APHIS sent an\ninspection team, that also included APHIS Investigative and Enforcement Services,\nto review the incident. APHIS subsequently issued a letter of warning to the entity\non February 3, 2012. The entity has assured APHIS in writing that the individual\nno longer has access to the registered space.\n\n\n\n\n                                          3\n\x0cRecommendation 8\n\nRequire the company that allowed unapproved maintenance workers keycard\naccess for select agent areas to revise its security plan to reflect how it provides\naccess to registered areas for conducting maintenance activities.\n\nAPHIS Response: APHIS does not concur with this Recommendation. In Title 9\nof the Code of Federal Regulations (CFR) section 121.11(c) and 7 CFR 331.11(c),\nthe select agent regulations state that entities must specify in their security plan\nprovisions for controlling access to select agents and toxins and provisions for\nroutine cleaning, maintenance, and repairs. In the specific instance cited above, the\nentity had removed select agents from the registered area; therefore, the\nmaintenance workers did not have access to select agents. The entity\xe2\x80\x99s security\nplan properly identifies the procedures for access and escort of non-SRA personnel\nin areas where there is the potential for access to select agent regulations.\nTherefore, changes are not needed to the entity\xe2\x80\x99s security plan.\n\nRecommendation 9\n\nDetermine whether the company that sought permission to allow unescorted\naccess by unapproved maintenance workers continues to engage in the practice\nof allowing unescorted access. If so, require the company to revise its security\nplan to include a provision to allow unescorted maintenance workers and\ndescribe the types of additional security measures to be implemented when\nunescorted persons are present.\n\nAPHIS Response: APHIS does not concur with this Recommendation.\nRegulations in 9 CFR 121.11(c) and 7 CFR 331.11(c) state that entities must\nspecify in their security plan provisions for controlling access to select agents and\ntoxins and provisions for routine cleaning, maintenance, and repairs. In the specific\ninstance cited above, the entity had removed select agents from the registered area;\ntherefore, the maintenance workers did not have access to select agents. The\nentity\xe2\x80\x99s security plan properly identifies the procedures for access and escort of\nnon-SRA personnel in areas where there is the potential for access to select agent\nregulations. Therefore, changes are not needed to the entity\xe2\x80\x99s security plan.\n\nRecommendation 10\n\nDevelop and implement policies and procedures for monitoring ROs to ensure\nthe ROs are seeking timely renewals or terminations of individuals\xe2\x80\x99 SRAs.\n\nAPHIS Response: APHIS does not concur with the Recommendation. APHIS will\nanalyze the discrepancies provided by OIG to determine the reasons for possible\nlapses in individuals\xe2\x80\x99 SRAs. If needed, we will develop processes to address these\nlapses. The analysis will be completed by December 3, 2012.\n\n\n\n\n                                          4\n\x0cRecommendation 11\n\nDevelop and conduct training for all ROs and alternate ROs that provides the\ninformation necessary to effectively oversee the select agent program. The\nsession should provide a method of assessing that ROs and alternate ROs\nunderstood the training.\n\nAPHIS Response: APHIS does not concur with this Recommendation. The FSAP\nheld workshops on RO duties and responsibilities on November 16, 2011; May 10,\n2011; June 15, 2010; August 12, 2009; and December 9, 2008. We will hold\nanother workshop for ROs on November 16, 2012. A training requirement for ROs\nand alternate ROs was included in the proposed rule published in December 2011,\ntitled \xe2\x80\x9cAgricultural Bioterrorism Protection Act of 2002; Biennial Review and\nRepublication of the Select Agent and Toxin List; Amendments to the\nSelect Agent and Toxin Regulations.\xe2\x80\x9d The public comments we received did not\nsupport such a requirement. However, FSAP will develop guidance document that\ndescribes RO responsibilities; this will be completed by December 3, 2012.\n\nRecommendation 12\n\nProvide guidance to each RO re-emphasizing the requirement that biosafety\nand security training must be provided to and documented for all authorized\nindividuals with access to select agents. The guidance should state that\ndocumentation of the training must include the name of the attendee, a\ndescription of the training, date of the training, and the means used to verify\nthat the employee understood the training. The guidance should also state that\nthese records must be maintained for 3 years.\n\nAPHIS Response: APHIS does not concur with this Recommendation. The\ncurrent regulations in 9 CFR 121.15(c) and 7 CFR 331.15(c) already require that\ndocumentation of the training include the name of the attendee, a description of the\ntraining, date of the training, and the means used to verify that the employee\nunderstood the training. The 3-year records retention is also a requirement in 9\nCFR 121.17(c) and 7 CFR 331.17(c). We will re-emphasize the training\nrequirements in the RO guidance document that will be finalized by December 3,\n2012. (This guidance document is the same document mentioned in\nRecommendations 4 and 11.) These requirements will also be specified in the\nsecurity guidance document that will be developed by December 3, 2012.\n\n\n\n\n                                         5\n\x0cInformational copies of this report have been distributed to:\n\nActing Administrator, Animal and Plant Health Inspection Service\nGovernment Accountability Office\nOffice of Management and Budget\nOffice of the Chief Financial Officer\n\x0cTo learn more about OIG, visit our website at\nwww.usda.gov/oig/index.htm\n\nHow To Report Suspected Wrongdoing in USDA Programs\nFraud, Waste, and Abuse\nEmail: usda.hotline@oig.usda.gov\nPhone: 800-424-9121 Fax: 202-690-2474\nBribes or Gratuities:\n202-720-7257 (24 hours a day)\n\n\n\n\nThe U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin,\nage, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual\norientation, political beliefs, genetic information, reprisal, or because all or part of an individual\xe2\x80\x99s income is derived from any public assistance program.\n(Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information\n(Braille, large print, audiotape, etc.) should contact USDA\xe2\x80\x99s TARGET Center at (202) 720-2600 (voice and TDD). USDA is an equal opportunity provider\nand employer.\n\x0c'